Образовательный проект «SnakeProject» Михаила Козлова

⇒ FreeBSD and Nix ⇐

CISCO

Voice(Asterisk\Cisco)

Microsoft

Powershell

Python

SQL\T-SQL

1С

Общая

WEB Разработка

ORACLE SQL \ JAVA

Мото

Стрельба, пневматика, оружие

Саморазвитие и психология

FreeBSD: milter-greylist + postfix + clamav + amavis + spamassasin

FreeBSD: milter-greylist + postfix + clamav + amavis + spamassasin

##### Серые списки - milter-greylist + postfix

Установите milter-greylist:
pkg install milter-greylist
или
cd /usr/ports/mail/milter-greylist && make install clean

Создайте файл конфигурации milter-greylist:
cd /usr/local/etc/mail
cp greylist.conf.sample greylist.conf

Включить milter-greylist в /etc/rc.conf:
echo 'miltergreylist_enable="YES"' >> /etc/rc.conf
echo 'miltergreylist_runas="postfix:postfix"' >> /etc/rc.conf

Настроим юелые и серые списки + правила:
greylist.conf:

user "postfix:postfix"

list "my network" addr { 127.0.0.1/8 }

list "trust network" addr { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

list "grey users" rcpt { testuser@domain.local root@domain.local postmaster@domain.local }

dnsrbl "PBL" zen.spamhaus.org 127.0.0.10/31

racl whitelist list "my network"
racl whitelist list "broken mta"
racl whitelist list "trust network"
racl greylist dnsrbl "PBL" delay 30m autowhite 3d
racl greylist list "grey users" delay 30m autowhite 3d
racl whitelist default

/usr/local/etc/postfix/main.cf:
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock, inet:localhost:50055

/usr/local/etc/rc.d/milter-greylist start
/usr/local/etc/rc.d/postfix restart

В /var/log/maillog после отправки локально письма будет что-то типа:
skipping greylist because address 10.0.2.2 is whitelisted,
(from=<testuser@domain.local>, rcpt=<testuser@domain.local>, addr=[10.0.2.2][10.0.2.2]) ACL 13

##### АНтивирус clamav + amavis + spamassasin

### clamav

cd /usr/ports/security/clamav && make install clean
Указываем опции:
[x] ARC           Enable arch archives support            
[x] ARJ           Enable arj archives support             
[x] DMG_XAR       Enable DMG and XAR archives support     
[x] DOCS          Build and/or install documentation      
[ ] EXPERIMENTAL  Build experimental code                 
[x] ICONV         Encoding conversion support via iconv   
[ ] IPV6          IPv6 protocol support                   
[x] JSON          JSON file/format/parser support         
[ ] LDAP          LDAP protocol support                   
[x] LHA           Enable lha archives support             
[x] MILTER        Compile the milter interface            
[x] PCRE          Use Perl Compatible Regular Expressions
[ ] STDERR        Print logs to stderr instead of stdout  
[ ] TESTS         Run compile-time tests (req. python)    
[x] UNRAR         RAR decompression support               
[x] UNZOO         Enable zoo archives support       

vi /usr/local/etc/clamd.conf
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 2M
LogTime yes
LogClean yes
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd
ScanMail yes

echo 'clamav_clamd_enable="YES"' >> /etc/rc.conf
echo 'clamav_freshclam_enable="YES"' >> /etc/rc.conf
freshclam
/usr/local/etc/rc.d/clamav-clamd start

### amavis + spamassasin
### получая письмо от postfix, передает его части на проверку clamav и spamassasin
### spamassasin подтянется с установкой amavis

cd /usr/ports/security/amavisd-new && make install clean
[ ] ALTERMIME     Use AlterMime for defanging/disclaimers  
[x] ARC           ARC support with archivers/arc           
[x] ARJ           ARJ support with archivers/arj           
[x] BDB           Use BerkeleyDB for nanny/cache/snmp      
[x] CAB           CAB support with archivers/cabextract    
[x] DOCS          Build and/or install documentation       
[x] FILE          Use newer file(1) utility from ports     
[ ] FREEZE        FREEZE support with archivers/freeze     
[x] IPV6          IPv6 protocol support                    
[ ] LDAP          Use LDAP for lookups                     
[x] LHA           LHA support with archivers/lha           
[x] LZOP          LZOP support with archivers/lzop         
[x] MSWORD        Ms Word support with textproc/ripole     
[ ] MYSQL         Use MySQL for lookups/logging/quarantine
[ ] NOMARCH       ARC support with archivers/nomarch       
[ ] P0F           Passive operating system fingerprinting  
[x] P7ZIP         P7ZIP support with archivers/p7zip       
[ ] PGSQL         Use PgSQL for lookups/logging/quarantine
[ ] RAR           RAR support with archivers/rar           
[x] RPM           RPM support with archivers/rpm2cpio      
[x] SASL          Use SASL authentication                  
[ ] SNMP          Install amavisd snmp subagent            
[x] SPAMASSASSIN  Use mail/spamassassin                    
[ ] SQLITE        Use SQLite for lookups                   
[ ] TNEF          Add external tnef decoder converters/tnef
[x] UNARJ         ARJ support with archivers/unarj         
[x] UNRAR         RAR support with archivers/unrar         
[x] UNZOO         ZOO support with archivers/unzoo         
[x] ZOO           ZOO support with archivers/zoo       

Ошибка:
amavisd-new-2.11.0_2,1 archivers/rar is a 32-bit binary port and is not
compatible with amd64.
Лечится:
RAR=off: RAR support with archivers/rar

Добавляем в автозагрузку:
echo 'amavisd_enable="YES"' >> /etc/rc.conf
echo 'spamd_enable="YES"' >> /etc/rc.conf
echo 'spamd_flags="-u vscan"' >> /etc/rc.conf

/usr/local/etc/postfix/main.cf:
content_filter = smtp-amavis:[127.0.0.1]:10024

/usr/local/etc/postfix/master.cf:

smtp-amavis unix - - n - 2 smtp -o smtp_data_done_timeout=600s -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=2 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks_style=host -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

/usr/local/etc/amavisd.conf:

$mydomain = 'domain.local'; #Для отладки, после отключить - 0 $log_level = 5; @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); $max_servers = 2; $max_requests = 2; $daemon_user = 'vscan'; $daemon_group = 'vscan'; #Подбирать данные параметры придется вручную $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level $sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail) $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent $sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off $penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database) $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam $bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces @whitelist_sender_maps = ( ['.domain.local', 'admin@frienddomain.com'] ); $myhostname = 'mail.domain.local'; $notify_method = 'smtp:[127.0.0.1]:10025'; $forward_method = 'smtp:[127.0.0.1]:10025'; $final_virus_destiny = D_DISCARD; $final_banned_destiny = D_BOUNCE; $final_spam_destiny = D_BOUNCE; $final_bad_header_destiny = D_PASS; @av_scanners = ( ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ] ); @av_scanners_backup = ( ['ClamAV-clamscan', 'clamscan', "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ] );

cd /usr/local/etc/mail/spamassassin && cp local.cf.sample local.cf

spamassassin 2>&1 -D --lint
sa-compile -D --list

# Если будет ошибка с sa-update
sa-update

# Ошибка
# run_av (ClamAV-clamd) FAILED - unexpected ,
# output="/var/amavis/tmp/amavis-20180913T161124-30389-FfbYEejA/parts
# : lstat() failed: Permission denied
pw usermod clamav -G vscan

/usr/local/etc/rc.d/clamav-clamd start
/usr/local/etc/rc.d/amavisd restart
/usr/local/etc/rc.d/postfix restart

Комментарии пользователей